A new cryptographic tool, anonymous quantum key technique, is introduced that
leads to unconditionally secure key distribution and encryption schemes that can be
readily implemented experimentally in a realistic environment. If quantum memory
is available, the technique would have many features of public-key cryptography; an
identification protocol that does not require a shared secret key is provided as an
illustration. The possibility is also indicated for obtaining unconditionally secure
quantum bit commitment protocols with this technique.



This paper has the same title as my Capri talk but the contents are not identical. The
portion on anonymous key is greatly expanded here, while only brief mention is made on
quantum bit commitment, a detailed treatment of which is available in Ref. [1].



A classic goal of cryptography is privacy: two parties wish to communicate privately so 
that an adversary can learn nothing about its content. This was usually achieved through the 
use of a shared private key, typically a string of binary digits, for encrypting and decrypting
the message data. A revolution in cryptography occurred around 1976 with the emergence
of public-key cryptography, in which knowledge of a public key for encryption would not
lead to knowledge of a secret private key for decryption. The concept of digital signature, the 
binding of a signer to an electronic digital message, was introduced via public-key technique. 
The idea of using quantum physics for cryptographic purpose was first proposed by Wiesner 
in the early 1970's 0. It came to fruition in the work of Bennett and Brassard [|] on key 
distribution, culminating in an experimental prototype demonstration ^. Despite earlier 
papers on the use of quantum cryptography to achieve other cryptographic goals, it turns 
out that key distribution is the only viable one so far 0. Also, the lack of a quantum 
authentication scheme implies that some standard classical technique has to be employed
which takes away some of the novelty of the quantum techniques, which at first sight seem
to be public-key type protocols that do not require the prior sharing of secret information.

Consider two users, Adam and Babe, with a powerful adversary Eve who can manipulate 
all the communications between them. In an intruder-in-the-middle or impersonation attack,
Eve can pretend to be Adam to Babe, and Babe to Adam, in all the known quantum protocols.
If Adam and Babe do not have a prior shared secret key for message authentication, it
is often assumed that a non-jammable classical public channel would prevent impersonation.
This, however, is not the case as there is still a user authentication (identification)
problem — without some shared prior framework there is nothing that distinguishes Babe from
an impersonator. Specifically, other than "eavesdropping" Eve may pretend to be Babe and 
trick Adam to tell her something that he would only tell Babe. The use of a shared secret key 
for authentication reduces the quantum cryptosystem to a key expansion scheme as noted 
in Ref. 0, without many advantages of a public-key system. In particular, a separate key 
is needed for each pair of users which causes major problems in a network environment. 
In standard cryptography there are a variety of approaches [0] to dispense with the use of 
shared secret keys, notably the use of digital signature for identification that is capable of 
preventing the identifier or verifier from pretending to be the identifiee.

In this paper a new cryptographic tool, anonymous key encryption (AKE), is introduced
in the quantum context that has no known parallel in standard cryptography. In AKE, 
the encrypter does not know the value of his encrypted message. If quantum states can 
be stored, i.e., if quantum memory is available which is a subject of active current effort, 
the AKE technique can be extended to a general anonymous key technique that leads to 
various forms of digital signature and to a public-key type identification protocol, to be 
called anonymous key identification (AKI), which does not require any shared secret key. 
For key distribution, an unconditional security proof on the use of AKE would be described 
for qubits, and it would be indicated how a similarly secure protocol may be obtained in 
the presence of noise and loss by using classical error correcting codes. The possible use of 
large-energy coherent states would also be indicated. 

Let $|\psi_A\rangle \in \mathcal{H}$, where $\mathcal{H}$ is an arbitrary quantum state space, be a state known only to
Adam and transmitted by him to Babe. Depending on the message $j \in \{1, \ldots, m\} = \mathcal{M}$
that Babe wants to send to Adam, she modulates $|\psi_A\rangle$ with a unitary transformation $U_j$
and sends $U_j|\psi_A\rangle$ back to Adam. From knowledge of $|\psi_A\rangle$ and the openly known $U_j$, Adam
can decrypt $j$. The idea is that without knowing $|\psi_A\rangle$, Eve cannot tell $j$ without significant
error. The name anonymous key encryption is chosen because $|\psi_A\rangle$ acts like an encryption
key for Babe to generate the encrypted signal $U_j|\psi_A\rangle$ with data $j$. Often one has $n$ qubits
$\mathcal{H} = \otimes^n \mathcal{H}_2$ with $\mathcal{M} = \{0, 1\}^n$.

Consider the following concrete AKE system for a single qubit $m = 2$, $n = 1$, so that an
arbitrary pure state $\rho_A = |\psi_A\rangle\langle\psi_A|$ is represented in terms of a real vector $\vec{r} \in \mathbb{R}^3$ via the
Pauli matrices $\vec{\sigma}$, in component form

$$\rho_A = \frac{1}{2}(I + r_1\sigma_1 + r_2\sigma_2 + r_3\sigma_3), \qquad |\vec{r}|^2 = 1 \tag{1}$$

If $\rho_A$ is one of $M$ possible uniformly distributed states on the $(\sigma_1, \sigma_3)$ great circle of the
Bloch sphere (or Poincare sphere in the context of photon polarization), we have

$$r_1 = \cos\frac{2\pi\ell}{M}, \quad r_2 = 0, \quad r_3 = \sin\frac{2\pi\ell}{M}, \qquad \ell \in \{1, \ldots, M\} \tag{2}$$

If $j = 1$, Babe rotates $\rho_A$ by an angle $\frac{\pi}{2}$ clockwise on this great circle, and if $j = 0$,
she rotates it by an angle $\frac{\pi}{2}$ counterclockwise, i.e., $U_j = U(\phi_j)$, the rotation matrix with
$\phi_j = \pm\frac{\pi}{2}$. These two states are orthogonal in a basis known only to Adam, which he can
measure to determine $j$. Equivalently, the rotation angles may be $\{0, \pi\}$ or some other
pairs. In order that $U(\phi_j)|\psi_A\rangle$ is one of the $M$ possible states $\rho_A(\ell)$ of (1)-(2), $M$ is
taken to be a multiple of 4. If Adam picks $\rho_A(\ell)$ randomly, the resulting density operator
$\rho_B = \sum_\ell \frac{1}{M} U(\phi_j)\rho_A(\ell)U^\dagger(\phi_j)$ from B to A is the same for either $j$. Thus, even if Eve has
an identical copy |^ of the state sent back to A, she can gain no information on $j$. This
generalizes to a sequence of independent $\rho_A(\ell)$ with independent $\ell$, for which Eve's optimal
joint attack on $\rho_B$ just factorizes into a product of individual attacks.

The security analysis is carried out via the theory of optimal M-ary quantum detector
g, |10] in which 1 out of $M$ possibilities, each described by a state $\rho_j$ and a priori probability
$p_j$, is selected to optimize a given performance criterion. The selection is based on the result
of a general quantum measurement described by a positive operator-valued measure (POM),
which is specified to yield the optimal performance. If Eve attempts to identify $\rho_A(\ell)$ by
intercepting the transmission to Babe, the best she can do is given by the optimum M-ary
quantum detector for discriminating the states (1)-(2), which has been worked out before.
Lemma 3 of Ref. [^ gives the optimum quantum measurement in the form of a POM, with
corresponding probability of correct identification given by P^ = 2/M. However, even if Eve
makes an error, her estimated state is still useful for eavesdropping purpose and a different
criterion needs to be used. Generally, it is the probability $P_A$ that Eve's estimated state is
accepted to be correct by Adam as a result of his measurement.

$$P_A = \sum_{\ell,\ell'} \frac{1}{M}\, p(\ell'|\ell)\, \mathrm{tr}\,\rho_A(\ell)\rho_A(\ell') \tag{3}$$

where $p(\ell'|\ell) = \mathrm{tr}\,\Pi(\ell')\rho_A(\ell)$ is the probability that, given $\rho_A(\ell)$ was transmitted, Eve takes
it to be $\rho_A(\ell')$ from measuring the POM $\Pi(\ell')$. Such a criterion falls under the general
optimum quantum detector formulation, and the optimum $\Pi(\ell')$ for (3) turns out ||ri| to be
the same as that of determining $\rho_A(\ell)$ according to the error probability criterion, which is
intuitively reasonable. The resulting $P_A$ is given by 3/4 independently of $M$ (but recall that
$M$ is a multiple of 4). Thus, if Eve measures $\Pi(\ell')$ to determine $\rho_A(\ell)$, perhaps because she
cannot store the actual $\rho_A(\ell)$, and transmits $\rho_A(\ell')$ to Babe, determines $j$ by measurement on
$U(\phi_j)\rho_A(\ell')U^\dagger(\phi_j)$ from Babe, and sends the resulting state back to Adam, the probability
that Adam decrypts correctly is 3/4. Pure guessing without measurement yields $P_A = 1/2$.
This $P_A = 3/4$ would be reduced to 2/3 if the whole Bloch sphere is utilized, with $\rho_A$ given
by (1) with $r_1 = \sin\theta\cos\phi$, $r_2 = \cos\theta$, $r_3 = \sin\theta\sin\phi$, and e.g., $U_j = U(\theta_j)$, $\theta_j = \pm\frac{\pi}{2}$ with $\phi$
unchanged. In the case (2), $M = 4$ is enough to yield $P_A = 3/4$, and in this case a total of
$M = 6$ states []T^| on the poles of any rectangular coordinate system intercepting the Bloch
surface would yield $P_A = 2/3$. In both cases Eve can get these values of $P_A$ without knowing
$M$ by measuring an orthogonal basis chosen randomly from the $M$ possible states. Evidently
$P_A$ can be further reduced if a higher dimensional $\mathcal{H}$ is used.
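
The figures quoted above can be checked exactly with Bloch vectors. The following is an added example, not code from the paper; it assumes the optimum POM has the form $\Pi(\ell') = (2/M)\rho_A(\ell')$ (the paper cites a lemma for it without stating it) and a sign convention for Babe's two rotations.

```python
import math

def overlap(a, b):
    """tr(rho_a rho_b) for pure qubit states with Bloch vectors a and b."""
    return (1 + sum(x * y for x, y in zip(a, b))) / 2

def circle_states(M):
    """Eq. (2): M states on the (sigma_1, sigma_3) great circle."""
    return [(math.cos(2 * math.pi * l / M), 0.0, math.sin(2 * math.pi * l / M))
            for l in range(1, M + 1)]

# Poles of a rectangular coordinate system on the Bloch sphere (the M = 6 case).
SIX_STATES = [(1, 0, 0), (-1, 0, 0), (0, 1, 0), (0, -1, 0), (0, 0, 1), (0, 0, -1)]

def modulate(r, j):
    """Babe's U(phi_j): a quarter turn in the (sigma_1, sigma_3) plane.
    Assumed sign convention: j = 1 clockwise, j = 0 counterclockwise."""
    x, y, z = r
    return (z, y, -x) if j == 1 else (-z, y, x)

def mean_returned_state(states, j):
    """Bloch vector of rho_B = sum_l (1/M) U rho_A(l) U^dagger, Eve's view of B -> A."""
    out = [modulate(r, j) for r in states]
    return tuple(sum(v[i] for v in out) / len(out) for i in range(3))

def adam_reads_one(r, j):
    """Adam knows r, so he projects onto the j = 1 state; returns P(result = 1)."""
    return overlap(modulate(r, j), modulate(r, 1))

def eve_pom(states):
    """Eve measures Pi(l') = (2/M) rho_A(l') (assumed form) on the A -> B qubit.
    Returns (probability of correct identification, P_A of Eq. (3))."""
    M = len(states)
    p_id = p_a = 0.0
    for r in states:
        for s in states:
            p = (2 / M) * overlap(s, r)           # p(l'|l) = tr Pi(l') rho_A(l)
            p_id += p / M if s is r else 0.0
            p_a += p * overlap(r, s) / M          # Adam accepts rho_A(l') as rho_A(l)
    return p_id, p_a

def eve_random_basis(states):
    """P_A when Eve measures the basis {s, -s} for s drawn at random from the set."""
    total = 0.0
    for r in states:
        for s in states:
            for outcome in (s, tuple(-c for c in s)):
                total += overlap(r, outcome) ** 2  # P(outcome) * P(Adam accepts it)
    return total / len(states) ** 2

if __name__ == "__main__":
    for name, states in (("circle M=4", circle_states(4)),
                         ("circle M=12", circle_states(12)),
                         ("six states", SIX_STATES)):
        print(name, eve_pom(states), eve_random_basis(states))
    print("rho_B Bloch vector:", [mean_returned_state(circle_states(8), j) for j in (0, 1)])
```

A zero Bloch vector for $\rho_B$ under both values of $j$ means Eve sees the maximally mixed state on the return path, while Adam, who knows $\ell$, reads $j$ with certainty.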

If Eve could intercept and store $\rho_A(\ell)$, she could eavesdrop perfectly by sending her own
$\rho_E(\ell')$ to Babe in an impersonation attack. Such manipulation can be detected with test
qubits mixed into the information qubits. However, a different approach is employed here
in which Babe sends her modulated qubits back to Adam in a random order. This has the
advantage that all possible eavesdroppings can be thwarted without checking for disturbance,
thus allowing a simple proof of protocol security for key establishment. In this scheme, Adam
and Babe use AKE with 8k qubits to establish a key of length 4k while expending a shared
secret key of length 2k, resulting in a net key expansion of 2k as follows. For each 8 qubit
block, Babe sends back the qubits in one of the following four orders equiprobably using 2
secret bits: 12345678, 87654321, 38462715, 41236587. These four sequences are chosen so
that there is no qubit overlap in any position among the eight. Eve can alter the qubits
from A to B in an impersonation attack, or conduct opaque eavesdropping, or conduct
translucent eavesdropping by tapping into the communications between A and B to learn
about $j$. The probability that Eve guesses $q$ of the $k$ qubit groups in the right order in an
impersonation attack is given by the binomial distribution with success probability 1/4, and
thus is exponentially small in $q$. For the rest she induces an error probability $P_e = 1/2$ per qubit
for Adam, and the key establishment would fail in a trial encryption.
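
The order randomization can be exercised classically, with labels standing in for the qubits. This is an added example, not code from the paper; reading each digit as the qubit sent at that position, and encoding the two secret bits as an index 0..3, are assumptions of the example.

```python
from fractions import Fraction
from math import comb

# The four orders listed in the text; each digit names the qubit sent at that position
# (this reading of the strings is an assumption of the example).
ORDERS = ("12345678", "87654321", "38462715", "41236587")
PERMS = [[int(c) - 1 for c in order] for order in ORDERS]

def no_position_overlap(perms=PERMS):
    """True if every order is a permutation and no two orders agree at any position."""
    n = len(perms[0])
    all_perms = all(sorted(p) == list(range(n)) for p in perms)
    return all_perms and all(len({p[i] for p in perms}) == len(perms) for i in range(n))

def send_back(block, key):
    """Babe: emit her 8 modulated qubits in the order selected by 2 secret bits.
    key in 0..3 encodes the two bits (the bit-to-order mapping is assumed)."""
    return [block[q] for q in PERMS[key]]

def restore(received, key):
    """Adam: undo the order with the same 2 secret bits."""
    block = [None] * len(received)
    for position, q in enumerate(PERMS[key]):
        block[q] = received[position]
    return block

def aligned_positions(true_key, guessed_key):
    """Number of qubits Eve pairs up correctly when she assumes guessed_key."""
    return sum(a == b for a, b in zip(PERMS[true_key], PERMS[guessed_key]))

def p_orders_guessed(q, k):
    """Binomial(k, 1/4): probability that Eve guesses exactly q of k block orders."""
    p = Fraction(1, 4)
    return comb(k, q) * p**q * (1 - p)**(k - q)

if __name__ == "__main__":
    block = [f"qubit{n}" for n in range(1, 9)]   # constructed stand-ins for quantum states
    print(no_position_overlap())
    print(send_back(block, 2))
    print([[aligned_positions(t, g) for g in range(4)] for t in range(4)])
    print([float(p_orders_guessed(k, k)) for k in (1, 8, 32)])
```

Because no two orders agree at any position, a wrong guess of the order misaligns all eight qubits of the block rather than only some of them.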

Eve may employ an opaque eavesdropping strategy by intercepting and re-transmitting 
the states from A to B and B to A. Instead of using disturbance detection, we merely 
use classical privacy amplification (CPA) |T^ to eliminate Eve's partial information. Eve's 
success probability $P_c$ per qubit is bounded as follows. We grant her one copy of $\rho_A(\ell)$ and
one copy of the corresponding correct $U(\phi_j)\rho_A(\ell)U^\dagger(\phi_j)$, i.e., we allow Eve to intercept both
copies exactly as if there is no disturbance and the order is correct. From these two copies
she can try to learn $j$ by optimally processing both states. This is a binary detection problem
with two states

for which the optimum probability of discrimination can be obtained by diagonalizing $\rho_0 - \rho_1$
0. The resulting optimum probability $P_c$ she would determine $j$ correctly turns out to be the
same as that obtained by measuring the optimum state detector on the copy $\rho_A(\ell)$ from A to
B and then measuring whether the state $\rho_B(\ell)$ from B to A is clockwise or counterclockwise
with respect to $\rho_A(\ell)$, which is intuitively reasonable, and is given by $P_c = P_A$. If Eve
launches a joint attack by making measurements on blocks of qubits, she cannot obtain a
better accuracy than that of measuring one by one — the optimum quantum detector for
the bit error sum factorizes when both the states and the data probabilities of the blocks
factorize into a product from the corresponding bits.

In translucent eavesdropping, Eve would try to determine the data j by correlating her 
tappings from A to B and B to A. She can do this in the correct order only with probability 
1/4. Thus, to (loosely) bound all the possible information Eve can obtain, we let her succeed
in learning the bits exactly with probability 1/4, and with probability 3/4 we let her learn
the bits with probability $P_c = P_A$ as in (4) above. For $P_A = 3/4$, this yields a total of 2k
deterministic bits and < k Shannon bits, which can be eliminated by expending 4k bits or 
just 3k bits asymptotically P, |13|. This completes the security proof in the ideal limit. 



Note that no quantum memory is required in this scheme. We have used very loose 
bounds to avoid complex arguments and bounding techniques, but the resulting efficiency 
is still appreciable. The present AKE has no apparent classical analog because listening to 
both the transmissions from A to B and B to A would reveal too much about the bits in 
a classical system even when the bit order is random. The intrinsic statistical feature of 
quantum ontology, that it is impossible to determine the state of a single quantum system 
exactly, is directly exploited in AKE. The basic ingredients of our security guarantee are:
use of qubit order randomization to thwart manipulation and correlation, use of optimum 
quantum detector and copies to Eve to bound her partial information which is eliminated 
by classical privacy amplification, and use of classical error correcting code to overcome loss 
and noise to be presently discussed. In particular, the explicit use of a shared secret key for 
key expansion, in this case in obtaining secret qubit orders, is a new technique that I expect 
to be widely applicable in many scenarios. 

The major problem for quantum security proof lies in the presence of loss and noise 
in realistic systems. It should be clear that the above security proof does not depend on 
detecting small disturbance by Eve, and can thus be expected to work in a similar way in the 
presence of small noise and loss with some simple error correction capability. In particular, 
one may employ classical error correcting codes (CECC) on qubits in lieu of quantum codes. 
Thus, each codeword in a CECC $(x_i)$, $x_i \in \{0, 1\}$, becomes a codeword of quantum states
$(|x_i\rangle)$, where $|x_i\rangle$ is the state corresponding to 0 and 1 in the quantum modulation scheme
adopted. No reconciliation]^ is needed with the use of CECC.

The protocol for AKE key distribution is in general:

(i) Adam sends enough randomly chosen $|\psi_A\rangle$'s to Babe to cover the loss and noise in
transmission to Babe as well as the CECC Babe needs to use for transmission back to 
Adam. 

(ii) Babe modulates the information qubits in a known CECC and sends the resulting qubits
to Adam in a random order according to a short shared secret key. 

(iii) Some form of CPA is employed by Adam to eliminate any possible leakage of
information which is strictly bounded.

(iv) The resulting key is checked for correctness by a trial encryption. 

There are many variations of this protocol including the use of test qubits or quantum 
memory in lieu of shared secret key. There are also many ways to use AKE for direct 
encryption. These topics and the security proof of the above protocol will be developed 
elsewhere. 

If quantum states can be stored, some features of public-key cryptography can be obtained
as follows. In classical public-key cryptography, a one-way function $f: X \to Y$ is roughly a
map for which one can obtain $y = fx \in Y$ from $x \in X$ readily but it is "infeasible" to obtain
$x$ from $fx$. A one-way trapdoor function results if $x$ can be readily obtained from $fx$ with
additional "trapdoor information" relating to $f$ [|n|. For a physically given $|\psi_A\rangle$, the function
$\mathcal{M} \to \mathcal{H}$ with $j$ mapped into $U_j|\psi_A\rangle$ can be regarded as a quantum one-way function with
trapdoor information given by the knowledge of the actual state $|\psi_A\rangle$, to be denoted $K\psi_A$.
Thus, $|\psi_A\rangle$ functions like a quantum public key while $K\psi_A$ is the private key. Similar to
the usual one-way trapdoor function, one can obtain the physical state $U_j|\psi_A\rangle$ with a given
public key $|\psi_A\rangle$, but cannot obtain from $U_j|\psi_A\rangle$ the value $j$ without the knowledge $K\psi_A$.
This is the general formulation of the anonymous quantum key technique. It is clear that
AKE can be described in this way, with Adam sending Babe his public key $|\psi_A\rangle$ and Babe
using $|\psi_A\rangle$ to encrypt a message $j$ which only Adam can decrypt with $K\psi_A$. With $|\psi_A\rangle$
representing a sequence of qubits, a number of standard public key protocols can be recast
in the quantum domain. For example, one-time digital signatures and blind signatures
can be implemented this way. Here, we would use the anonymous key technique to obtain
a quantum identification protocol AKI of the challenge-response type in which the identifier
cannot pretend to be the identifiee and which is an exact analog of a protocol [^ based
on classical digital signature. In AKI Adam uses his stored $|\phi_B\rangle$, $\phi_B$ unknown to him, to
identify Babe in the following way. He modulates $|\phi_B\rangle \in \mathcal{H}_2$ with a randomly chosen $\phi_A$
and transmits $|\phi_B + \phi_A\rangle$ to Babe, say for states of the form (1)-(2), and asks her to return
the state $|\phi_A\rangle$ with $\phi_B$ removed, which Babe is capable of doing by just adding $-\phi_B$ to the
angle in $|\phi_B + \phi_A\rangle$. Adam checks by measuring the projection to $|\phi_A\rangle$. The random $\phi_A$ is
necessary, or else Eve can just return the state $|\phi = 0\rangle$, where $\phi = 0$ is the reference angle,
without using $|\phi_B\rangle$ sent by Adam. The protocol can be simply summarized:

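$$\begin{aligned} \text{(i)}\quad & A \to B: \; |\phi_B + \phi_A\rangle \\ \text{(ii)}\quad & B \to A: \; |\phi_A\rangle \end{aligned} \tag{5}$$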

The probability that Adam or Eve could successfully impersonate Babe is $P_A$ for one qubit,
which can be brought to any desired security level $P_s = (P_A)^m$ with $m$ qubits exponentially
efficiently. Apart from using quantum laws instead of number theoretic complexity
assumptions, the security of this protocol is evidently the same as the conventional public-key
challenge-response identification protocol [15]. Note that the success of AKI is independent
of that of AKE, with both being examples of the anonymous quantum key technique.
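
The exchange (5), the role of the random $\phi_A$, and the sizing of $m$ can be walked through for the great-circle states. This is an added example, not code from the paper; function names are hypothetical, the unrandomized case is modelled as $\phi_A = 0$, and $P_A = 3/4$ is the per-qubit value quoted in the text.

```python
import math
from fractions import Fraction

def angles(M):
    """Bloch angles of the M great-circle states of Eqs. (1)-(2)."""
    return [2 * math.pi * l / M for l in range(1, M + 1)]

def accept(returned, phi_A):
    """Adam's projection onto |phi_A>: |<phi_A|returned>|^2 = (1 + cos(difference)) / 2."""
    return (1 + math.cos(returned - phi_A)) / 2

def honest_run(phi_B, phi_A):
    """Acceptance probability when the real Babe answers the challenge."""
    challenge = phi_B + phi_A        # (i)  A -> B: |phi_B + phi_A>
    response = challenge - phi_B     # (ii) B -> A: Babe adds -phi_B, giving |phi_A>
    return accept(response, phi_A)

def fixed_reply_success(M, random_phi_A):
    """Eve ignores the challenge and returns the reference state |phi = 0>."""
    choices = angles(M) if random_phi_A else [0.0]   # no randomization: phi_A = 0
    return sum(accept(0.0, phi_A) for phi_A in choices) / len(choices)

def qubits_for_level(P_A, security_bits):
    """Smallest m with P_s = (P_A)^m <= 2^-security_bits (exact arithmetic)."""
    target, level, m = Fraction(1, 2 ** security_bits), Fraction(1), 0
    while level > target:
        level *= P_A
        m += 1
    return m

if __name__ == "__main__":
    M = 8
    print(min(honest_run(b, a) for b in angles(M) for a in angles(M)))
    print(fixed_reply_success(M, random_phi_A=False), fixed_reply_success(M, random_phi_A=True))
    print(qubits_for_level(Fraction(3, 4), 64))
```

Without the random $\phi_A$ the fixed reply is always accepted; with it the same reply passes only half the time per qubit.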

This technique can also be used to obtain unconditionally secure quantum bit commitment
schemes, outside the framework of the impossibility proof, which is not sufficiently
general to rule out all such schemes. In one of these, Babe sends anonymous states to Adam
for bit modulation and the anonymous nature of the states prevents Adam from determining
the cheating unitary transformation on his committed state. In another, the anonymous
states prevent both Adam and Babe from cheating. A detailed treatment of quantum bit
commitment is given in Ref. [1].

Some comments on possible experimental realization are in order. If (1)-(2) are realized
via photon number polarization, a small $M$ is sufficient as indicated after Eq. (3). Although
our protocol is much simpler, the experimental setup would be quite similar to BB84, and
the efficiency would suffer greatly in the presence of loss. In the present M-ary approach,
however, it can be improved via large-energy coherent states by the use of a further new
technique to be elaborated elsewhere. One underlying reason for such possibility can be
explained. Consider the coherent states

$$|\alpha_0(\cos\theta_\ell + i\sin\theta_\ell)\rangle, \qquad \theta_\ell = \frac{2\pi\ell}{M} \tag{6}$$

for a real positive $\alpha_0$ in place of (1)-(2). Any two basis states of (6) have inner product
$\exp(-2\alpha_0^2) \sim 0$ for large $\alpha_0$. When $M \to \infty$ or when $M$ is unknown, one obtains $P_A = 1/2$
with heterodyne detection and $P_A < 2/3$ for the canonical phase measurement which is the
maximum likelihood phase estimator [|T^. This important behavior of having $P_A$ independent
of $\alpha_0$ would also be obtained for a known finite $M \gg \alpha_0$, as a lower bound to the mean-square
fluctuation $(\delta\theta)^2$ was obtained [l^ that goes as $1/|\alpha|^2$ for coherent states $|\alpha\rangle$. In
the $P_A$ expression, this fluctuation would cancel out the $\alpha_0^2$ in the form $2\alpha_0^2\sin^2\frac{\delta\theta}{2}$ when
$M > 2\pi/\delta\theta$. A two-mode coherent state realization similar to (6), with $|\alpha_0\cos\theta_\ell\rangle|\alpha_0\sin\theta_\ell\rangle$,
can also be used. In either case M ~ 10^ is easily achievable in the laboratory, with much
higher M > 10^ possible, so that large $\alpha_0$ can be used for overcoming loss and noise. This
is not possible in previous quantum cryptosystems such as modified BB84 because large
$\alpha_0$ would lead to unambiguous determination of the states involved, which is not the case if
there are many states $M \gg \alpha_0$. The use of (6) also allows the possibility of amplification and
regeneration along the transmission path using quantum amplifiers [18], as well as routing
and switching in a network. Analysis of such coherent-state systems will be given in a future
publication detailing how key distribution and encryption can be carried out. It appears 
that they hold great promise in making secure quantum cryptography truly practical. 